TURKTRUST Incident Shows That Certificate-Based Attacks Are a Preferred Vector

Experts from Venafi and Sophos share some valuable insight on the matter


Most major browser vendors – including Mozilla, Microsoft and Google – are rushing to block the certificates issued by Turkish certificate authority TURKTRUST. The company admitted that it erroneously issued intermediate certificates instead of normal site certificates back in August 2011.

The main concern was that the intermediate certificates were used to create a fraudulent Google certificate, which was then used to mount man-in-the-middle attacks.

Experts say that this incident highlights a couple of important aspects about digital certificates and their issuing authorities.

Jeff Hudson, CEO of Venafi – the leading provider of enterprise key and certificate management (EKCM) solutions – explains that “the TURKTRUST situation is further evidence that cyber criminals are using their attacks on certificate authorities (CAs) to perpetrate man-in-the-middle and phishing attacks.”

“Enterprises need to recognize that certificate-based attacks are no longer hypothetical and have become a preferred attack vector. Every organization needs to be prepared for this inevitable fact of IT security life,” Hudson told Softpedia.

“Recent guidance from NIST provides the clear roadmap for organizations to prepare for an attack on their internal or external CAs and how to respond. These attacks demand a response within minutes, otherwise any enterprise from a bank to retailer to manufacturer is vulnerable to costly breaches and brand damage.”

According to the expert, this incident clearly shows that organizations must be prepared.

“CAs must recognize the drastic implications of mistakenly issuing a certificate and there must be steps taken by the industry to prevent such security lapses,” he said.

On the other hand, Sophos Senior Security Advisor Chester Wisniewski believes that the entire system is poorly implemented and that the industry should move on.

“Whether it is the Public Key Pinning Extension for HTTP, Convergence, Trusted Assertions for Certificate Keys (TACK) or DNSSEC-TLS, we've got to pick something and start implementing it,” Wisniewski explained.

“It doesn't need to be perfect to beat what we have. We have had fun arguing the merits and weaknesses of these proposals for ten years at conferences. It's high time we get to work.”
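Two points in the article lend themselves to a worked demonstration: the mis-issuance itself (a certificate with CA:true handed out where an ordinary site certificate was requested, so that its holder can mint a certificate for any name that still chains to the trusted root) and the public key pinning that Wisniewski lists among the proposed fixes. The Go program below is an added example, not code from the article, Venafi or Sophos; it builds a throwaway test PKI entirely from constructed keys and names (the root, the intermediates and the host name www.example.com are all hypothetical) and shows that plain chain validation accepts a leaf issued under the mis-issued intermediate, while an SPKI pin check rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds the constructed test PKI; no real CA material is involved.
type Scenario struct {
	Root, GoodInter, GoodLeaf, RogueInter, RogueLeaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// template builds either a CA certificate (CA:true, keyCertSign) or a plain server leaf for cn.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// BuildScenario models the incident: the root issues a legitimate intermediate and a site
// certificate for host, but also answers one site-certificate request with a CA:true
// certificate. Whoever holds that mis-issued intermediate can mint a leaf for host.
func BuildScenario(host string) Scenario {
	rootKey := mustKey()
	rootTmpl := template("Constructed Root CA", 1, true)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	goodKey, leafKey := mustKey(), mustKey()
	goodInter := issue(template("Constructed Intermediate", 2, true), root, &goodKey.PublicKey, rootKey)
	goodLeaf := issue(template(host, 3, false), goodInter, &leafKey.PublicKey, goodKey)

	rogueKey, rogueLeafKey := mustKey(), mustKey() // the mis-issued CA:true certificate and a leaf under it
	rogueInter := issue(template("Constructed Misissued Intermediate", 4, true), root, &rogueKey.PublicKey, rootKey)
	rogueLeaf := issue(template(host, 5, false), rogueInter, &rogueLeafKey.PublicKey, rogueKey)

	return Scenario{Root: root, GoodInter: goodInter, GoodLeaf: goodLeaf, RogueInter: rogueInter, RogueLeaf: rogueLeaf}
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the pin form used by HPKP-style pinning.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainValid is ordinary path validation: does leaf chain to root for host via inter?
func ChainValid(leaf, inter, root *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

// PinnedValid layers a pin check on top: the chain must validate AND the leaf key must be one we expect.
func PinnedValid(leaf, inter, root *x509.Certificate, host string, pins map[string]bool) bool {
	return ChainValid(leaf, inter, root, host) && pins[SPKIPin(leaf)]
}

func main() {
	host := "www.example.com" // constructed host name
	s := BuildScenario(host)
	pins := map[string]bool{SPKIPin(s.GoodLeaf): true}
	fmt.Println("legit leaf, chain only:", ChainValid(s.GoodLeaf, s.GoodInter, s.Root, host))   // true
	fmt.Println("rogue leaf, chain only:", ChainValid(s.RogueLeaf, s.RogueInter, s.Root, host)) // true
	fmt.Println("rogue leaf, pinned    :", PinnedValid(s.RogueLeaf, s.RogueInter, s.Root, host, pins)) // false
}
```

The second line of output is the whole problem in one boolean: path validation has no way to know that the root never meant to delegate issuance to that holder, so a browser that trusts the root accepts the rogue leaf. The pin check works because it asserts something the CA cannot change by mistake, namely which public key the site actually uses; the same idea is what the TACK and HPKP proposals in the article carry over the wire.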